Пользователь пока ничего не рассказал о себе

Достижения

Все достижения (5)

Наибольший вклад в теги

Все теги (53)

Лучшие ответы пользователя

Все ответы (41)
  • Как выводить ответ systemctl в терминал?

    box4
    @box4
    используйте && или ||
    например systemctl restart httpd.service || echo "ошибка при перезапуске"
    или systemctl restart httpd.service && echo "демон перезапустился"
    Ответ написан
  • ПО для анализа пакетов?

    box4
    @box4
    Выявление ддос это наверное мониторинг сервиса
    Ответ написан
  • Где посмотреть примеры правил корреляции (use cases) для SIEM?

    box4
    @box4
    для начало:

    Events of Interest

    User Authentication Rules and Alerts
    1. Repeat Attack-Login Source
    Goal: Early warning for brute force attacks, password guessing, and misconfigured applications.
    Trigger: Alert on 3 or more failed logins in 1 minute from a single host.
    Event Sources: Active Directory, Syslog (Unix Hosts, Switches, Routers, VPN), RADIUS, TACACS, Monitored Applications

    2. Repeat Attack-Login Target
    Goal: Early warning for brute force attacks, password guessing, and misconfigured applications.
    Trigger: Alert on 3 or more failed logins in 1 minute on a single user ID
    Event Sources: Active Directory, Syslog (Unix Hosts, Switches, Routers, VPN), RADIUS, TACACS, Monitored Applications.

    Attacks Detected on the Network
    3. Repeat Attack-Firewall
    Goal: Early warning for scans, worm propagation, etc
    Trigger: Alert on 15 or more Firewall Drop/Reject/Deny Events from a single IP Address in one minute.
    Event Sources: Firewalls, Routers and Switches

    4. Repeat Attack-Network Intrusion Prevention System
    Goal: Early warning for scans, worm propagation, etc
    Trigger: Alert on 7 or more IDS Alerts from a single IP Address in one minute.
    Event Sources: Network Intrusion Detection and Prevention Devices

    Attacks and Infections Detected at the Host Level
    5. Repeat Attack-Host Intrusion Prevention System
    Goal: Find hosts that may be infected or compromised (exhibiting infection behaviors).
    Trigger: Alert on 3 or more events from a single IP Address in 10 minutes
    Event Sources: Host Intrusion Prevention System Alerts

    Virus Detection/Removal
    6. Virus or Spyware Detected
    Goal: Alert when a virus, spyware or other malware is detected on a host.
    Trigger: Alert when a single host sees an identifiable piece of malware
    Event Sources: Anti-Virus, HIPS, Network/System Behavioral Anomaly Detectors

    7. Virus or Spyware Removed
    Goal: Reduce alerts and warnings, if after detection, anti-virus tools are able to remove a known piece of malware.
    Trigger: Alert when a single host successfully removes a piece of malware
    Event Sources: Anti-Virus, HIPS, Network/System Behavioral Anomaly Detectors

    8. Virus or Spyware Detected but Failed to Clean
    Goal: Alert when >1 Hour has passed since malware was detected, on a source, with no corresponding virus successfully removed.
    Trigger: Alert when a single host fails to auto-clean malware within 1 hour of detection.
    Event Sources: Anti-Virus, HIPS, Network/System Behavioral Anomaly Detectors

    Attacks from Unknown/Untrusted Sources
    The use of periodic automatically updated lists of known attackers and malware sources applied to these correlations is highly preferred.
    9. Repeat Attack-Foreign
    Goal: Identify remote attackers before they make it into the network. Identify "back scatter" pointing to attacks that may have not been detected by other sources.
    Secondary Goal: This rule also identifies new networks with active hosts that have been added to the internal network, but not reported or configured within the SIEM and/or other security tools.
    Trigger: Alert on 10 or more failed events from a single IP Address that is not part of the known internal network.
    Event Sources: Firewall, NIPS, Anti-Virus, HIPS, Failed Login Events

    10. Known Attacker Allowed in Network
    Goal: Identify allowed traffic form known "Black listed" sources. If the source is known to be a source of malware or an attack, identify and alert if that source is every allowed into the network,
    while conversely filtering out/ignoring "drop/reject/deny" events from these sources when our defenses properly block the traffic.
    Trigger: Alert on ANY Allowed (i.e. Firewall Accept, Allowed Login), events from an IP Address that is not part of the known network and is known to have/use malware.
    Event Sources: Firewall, NIPS, Anti-Virus, HIPS, Failed Login Events

    11. Traffic to Known Attacker
    Goal: Identify traffic from an internal address to known "black listed" destination is known to be a source of malware or an attack, identify and alert if traffic is ever allowed to that destination, or if repeat attempts (>5) are detected even when the traffic is blocked. This may indicate an infected host trying to call home.
    Trigger: Alert on ANY Allowed (i.e. Firewall Accept, Allowed Login), event to an IP Address that is not part of the known network and is known to have/use malware.
    Alternate Trigger: Alert on 5 or more drops from an internal source to any known attacker, or 1 Accept/Allow.
    Event Sources: Firewall, NIPS, Anti-Virus, HIPS, Failed Login Events.

    High Threat
    12. High Threat Targeting Vulnerable Asset
    Goal: Identify threats in real time that are likely to compromise a host. Vulnerability data has shown the host to be vulnerable to the inbound attack being detected by NIPS.
    Trigger: Any event from a single IP Address targeting a host known to be vulnerable to the attack that`s inbound.
    Event Sources: NIPS events, Vulnerability Assessment data

    13. Repeat Attack-Multiple Detection Sources
    Goal: Find hosts that may be infected or compromised detected by multiple sources (high probability of true threat).
    Trigger: Alert on ANY second threat type detected from a single IP Address by a second source after seeing a repeat attack. (i.e. Repeat Firewall Drop, followed by Virus Detected)
    Event Sources: Firewall, NIPS, Anti-Virus, HIPS, Failed Login Events.

    14. Possible Outbreak - Excessive Connections
    Goal: Find hosts that may be infected or compromised by watching for a host to connect to a large number of destinations.
    Trigger: Alert when a single host connects to 100 or more unique targets in 1 minute (must apply white lists for known servers to avoid false positives, and destination port !=80).
    Event Sources: Firewall, NIPS, Flow Data, and Web Content Filters.

    15. Possible Outbreak - Multiple Infected Hosts Detected on the Same Subnet
    Goal: Alert on the detection of malware before it spreads beyond a limited number of hosts.
    Trigger: Alert when 5 or more hosts on the same subnet trigger the same Malware Signature (AV or IDS) within a 1 hour interval.
    Event Sources: Anti-Virus, HIPS, NIPS.

    Web Servers (IIS, Apache)
    16. Suspicious Post from Untrusted Source
    Goal: Alert when dangerous content (executable code) is posted to a web server.
    Trigger: Files with executable extensions (cgi, asp, aspx, jar, php, exe, com, cmd, sh, bat), are posted to a web server (internal/dmz address), from an external source
    Event Sources: Internet Information Server and Apache Logs

    Monitored Log Sources
    17. Monitored Log Source Stopped Sending Events
    Goal: Alert when a monitored log source has not sent an event in 1 Hour (variable time based on the device).
    Trigger: Log collection device must create an event periodically to show how many events have been received, and that this number is >0.
    Event Sources: Log collection device.
    Ответ написан

Лучшие вопросы пользователя

Все вопросы (76)